TECHNICAL SUMMARY


Our research concentrated on the following topics:

• Special Relations in Automated Deduction ([MW1])

Theorem provers have exhibited super-human abilities in limited, obscure subject domains
but seem least competent in areas in which human intuition is best developed. One reason for this
is that an axiomatic formalization requires us to state explicitly facts that a person dealing in a
familiar subject would consider too obvious to mention; the proof must take each of these facts into
account explicitly. A person who is easily able to construct an argument informally may be too
swamped in detail to understand, let alone produce, the corresponding formal proof. A continuing
effort in our research is to make formal theorem proving more closely resemble intuitive reasoning.

One  case  in  point  is  our  treatment  of  special  relations. 

In most proofs of interest for program synthesis, certain mathematical relations, such as
equality and orderings, present special difficulties. These relations occur frequently in specifications and
in derivation of proofs. If their properties are represented axiomatically, proofs become lengthy,
difficult to understand, and even more difficult to produce or discover automatically. Axioms such
as transitivity have many consequences, most of which are irrelevant to the proof; including them
produces an explosion in the search space.

For the equality relation, the approach that was adopted early on is to represent its properties
with rules of inference rather than axioms. In resolution systems, two rules of inference,
paramodulation (Wos and Robinson) and E-resolution (Morris), were introduced. Proofs using these rules
are shorter and clearer, because one application of a rule can replace the application of several
axioms. More importantly, we may drop the equality axioms from the clause set, thus eliminating
their numerous consequences from the search space.

We have discovered two rules of inference that play a role for an arbitrary relation analogous
to that played by paramodulation and E-resolution for the equality relation. These rules apply to
sentences employing a full set of logical connectives; they need not be in the clause form required
by traditional resolution theorem provers. We intend both these rules to be incorporated into
theorem provers for program synthesis.

Employing  the  new  special-relations  rules  yields  the  same  benefits  for  an  arbitrary  relation 
as  using  paramodulation  and  E-resolution  yields  for  equality:  proofs  become  shorter  and  more 
comprehensible  and  the  search  space  becomes  sparser. 

• Binary-Search Algorithms ([MW2])

Some of the most efficient numerical algorithms rely on a binary-search strategy; according to
this strategy, the interval in which the desired output is sought is divided roughly in half at each
iteration. This technique is so useful that some authors (e.g., Dershowitz and Manna, and Smith)
have proposed that a general binary-search paradigm or schema be built into program-synthesis
systems and then specialized as required for particular applications.

It is certainly valuable to store such schemata if they are of general application and difficult to
discover. This approach, however, leaves open the question of how schemata are discovered in the
first place. We have found that the concept of binary search appears quite naturally and easily in
the derivations of some numerical programs. The concept arises as the result of a single resolution
step, between a goal and itself, using our deductive-synthesis techniques (Manna and Waldinger
[80]).


The programs we have produced in this way (e.g., real-number quotient and square root,
integer quotient and square root, and array searching) are quite simple and reasonably efficient,
but are bizarre in appearance and different from what we would have constructed by informal
means. For example, we have developed by our synthesis techniques the following real-number
square-root program sqrt(r, ε), which returns an approximation z with z² ≤ r < (z + ε)²:


    sqrt(r, ε) ⇐
        if max(r, 1) < ε
        then 0
        else if [sqrt(r, 2ε) + ε]² ≤ r
             then sqrt(r, 2ε) + ε
             else sqrt(r, 2ε).


The program tests whether the error tolerance ε is sufficiently large; if so, 0 is a close enough
approximation. Otherwise, the program recursively finds an approximation that lies within 2ε below the exact
square root of r. It then tries to refine this estimate, increasing it by ε if the exact square root is
large enough and leaving it unchanged otherwise.

This program was surprising to us in that it doubles a number rather than halving it as the
classical binary-search program does. Nevertheless, if the repeated occurrences of the recursive call
sqrt(r, 2ε) are combined by common-subexpression elimination, this program is as efficient as the
familiar one and somewhat simpler.
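The derived program and the classical halving search side by side, as an added example in Python that is not from [MW2]: both are checked against the specification z² ≤ r < (z + ε)² using exact rational arithmetic, so that floating-point rounding cannot mask a violation. The names sqrt_doubling, sqrt_halving, satisfies_spec and doubling_calls are mine; the comment at the recursive call records the inductive property on which the refinement step relies.

```python
from fractions import Fraction as F


def satisfies_spec(z, r, eps):
    """The specification the program was derived from: z^2 <= r < (z + eps)^2."""
    return z * z <= r < (z + eps) ** 2


def sqrt_doubling(r, eps):
    """The derived program: the tolerance doubles on each recursive call.
    The two occurrences of sqrt(r, 2*eps) are shared (common-subexpression
    elimination), so there is exactly one recursive call per level."""
    r, eps = F(r), F(eps)             # exact arithmetic keeps the spec check exact
    if max(r, 1) < eps:
        return F(0)                   # eps > 1 and eps > r, hence 0 <= r < eps^2
    z = sqrt_doubling(r, 2 * eps)     # by induction: z^2 <= r < (z + 2*eps)^2
    if (z + eps) ** 2 <= r:           # refine by eps when the exact root allows it
        return z + eps                # then (z+eps)^2 <= r < (z+2*eps)^2
    return z                          # else z^2 <= r < (z+eps)^2 already


def sqrt_halving(r, eps):
    """The classical binary search: keep lo^2 <= r < hi^2 and halve [lo, hi]."""
    r, eps = F(r), F(eps)
    lo, hi = F(0), r + 1              # (r + 1)^2 > r for every r >= 0
    while hi - lo > eps:
        mid = (lo + hi) / 2
        if mid * mid <= r:
            lo = mid
        else:
            hi = mid
    return lo                         # hi <= lo + eps, so r < hi^2 <= (lo + eps)^2


def doubling_calls(r, eps):
    """Number of calls sqrt_doubling makes: about log2(max(r, 1) / eps),
    the same order as the number of halvings performed by sqrt_halving."""
    r, eps, n = F(r), F(eps), 1
    while not max(r, 1) < eps:
        eps, n = 2 * eps, n + 1
    return n
```

With ε halved ten times the doubling program makes about ten more recursive calls and the halving loop about ten more iterations; the two traverse the same range of tolerances from opposite ends, which is why the text can call them equally efficient once the duplicated call is shared. The two programs do not return the same approximation (for r = 2, ε = 1/4 they return 5/4 and 21/16), but both satisfy the specification.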

• A Theory of Plans ([MW3][MW4])

Problems in commonsense and robot planning were approached by methods adapted from
our program-synthesis research; planning is regarded as an application of automated deduction.
To support this approach, we introduced a variant of situational logic (Manna and Waldinger
[81]), called plan theory, in which plans are explicit objects. A machine-oriented deductive-tableau
inference system is adapted to plan theory. Equations and equivalences of the theory are built into
a unification algorithm for the system. Frame axioms are built into the resolution rule.

Special  attention  was  paid  to  the  derivation  of  conditional  and  recursive  plans.  Inductive 
proofs  of  theorems  for  even  the  simplest  planning  problems,  such  as  clearing  a  block,  have  been 
found  to  require  challenging  generalizations. 

• Deductive Synthesis of Dataflow Networks ([JMW])

The synthesis of concurrent programs is much more complicated than the synthesis of
sequential programs. In general, a concurrent program does not have a single input value and a
single output value, but receives several inputs and sends several outputs during its execution. If
we consider sequences of input and output values, then we can specify a concurrent program by
giving a relation between the sequence of input values and the sequence of output values. This
specification method is natural especially for networks of deterministic processes that communicate
asynchronously by sending messages over buffered channels. Deterministic dataflow networks fall
into this category.


We  have  developed  a  method  for  the  deductive  synthesis  of  deterministic  dataflow  networks, 
which  are  specified  by  a  relation  between  sequences  of  input  values  and  sequences  of  output  values. 


Our synthesis method consists of two stages. The first stage, the deductive-synthesis stage,
starts from a specification of the network. Using the deductive-tableau techniques of Manna and
Waldinger [80], a system of recursive equations is synthesized. This system can be regarded as
an applicative program that satisfies the specification for the network, but it does not directly
represent any structure or parallelism of a network. In the second stage, the system of recursive
equations is transformed into a dataflow network.
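The two stages, illustrated on a constructed example that is not from [JMW] (the report names no particular network): the specification relates an input sequence to the sequence of its running sums; stage 1 is a system of recursive equations over sequences, and stage 2 is a two-node network (an adder and a fan-out node joined by a feedback channel) whose nodes communicate only over buffered FIFO channels. The Network class, running_sums_network and the channel names are mine; the scheduler's order argument lets you confirm that the output does not depend on the firing order, which is the determinacy the specification method relies on.

```python
from collections import deque


def spec_holds(inputs, outputs):
    """The specification: a relation between the input sequence and the
    output sequence (here, the i-th output is the sum of inputs 0..i)."""
    return len(outputs) == len(inputs) and all(
        outputs[i] == sum(inputs[:i + 1]) for i in range(len(inputs)))


def running_sums_rec(inputs):
    """Stage 1 result: recursive equations over sequences,
       S(xs) = S'(0, xs);  S'(a, <>) = <>;  S'(a, x.xs) = (a + x) . S'(a + x, xs).
    An applicative program that meets the spec but names no nodes or channels."""
    def s(acc, rest):
        if not rest:
            return []
        return [acc + rest[0]] + s(acc + rest[0], rest[1:])
    return s(0, list(inputs))


class Network:
    """Stage 2: deterministic nodes communicating asynchronously over buffered
    FIFO channels. A node fires when every one of its input channels holds a token."""

    def __init__(self):
        self.chan, self.nodes = {}, []

    def channel(self, name, initial=()):
        self.chan[name] = deque(initial)          # initial tokens prime feedback loops

    def node(self, fn, ins, outs):
        """fn consumes one token per input channel and returns one token per output."""
        self.nodes.append((fn, ins, outs))

    def fire(self, fn, ins, outs):
        if not all(self.chan[c] for c in ins):
            return False                          # blocked: some input channel is empty
        for c, v in zip(outs, fn(*[self.chan[c].popleft() for c in ins])):
            self.chan[c].append(v)
        return True

    def run(self, order=None):
        """Fire nodes until none can. `order` is a scheduling permutation;
        determinacy means the channel contents at the end do not depend on it."""
        sched = self.nodes if order is None else [self.nodes[i] for i in order]
        while any(self.fire(*n) for n in sched):
            pass


def running_sums_network(inputs, order=None):
    """The stage-2 network for the running-sums specification."""
    net = Network()
    net.channel("in", inputs)
    net.channel("fb", [0])                        # feedback channel primed with one 0 token
    net.channel("sum")
    net.channel("out")
    net.node(lambda x, acc: (x + acc,), ["in", "fb"], ["sum"])   # adder
    net.node(lambda s: (s, s), ["sum"], ["out", "fb"])           # fan-out: to output and back
    net.run(order)
    return list(net.chan["out"])
```

The feedback channel carries the accumulator that the recursive equations pass as the argument a; priming it with one token is what makes the adder fireable on the first input. Without that token every node blocks forever, which is the kind of structural property the stage-1 equations do not express.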


• Logic: The Calculus of Computer Science ([MW5])

The research papers in which we have presented the deductive approach to program synthesis
have been addressed to the usual academic readers of the scholarly journals. In an effort to make this
work accessible to a wider audience, including computer-science undergraduates and programmers,
we have developed a more elementary treatment in the form of a two-volume book, The Logical
Basis for Computer Programming, Addison-Wesley (Manna and Waldinger [85c]).

This  book  requires  no  computer  programming  and  no  mathematics  other  than  an  intuitive 
understanding  of  sets,  relations,  functions,  and  numbers;  the  level  of  exposition  is  elementary. 
Nevertheless,  the  text  presents  some  novel  research  results,  including 


• theories of strings, trees, lists, finite sets and bags, which are particularly well suited to
theorem-proving and program-synthesis applications;

•  formalizations  of  parsing,  infinite  sequences,  expressions,  substitutions,  and  unification; 

•  a  nonclausal  version  of  skolemization; 


•  a  treatment  of  mathematical  induction  in  the  deductive-tableau  framework. 

• Verification of Concurrent Programs ([MP1])

We  studied  in  detail  the  proof  methodologies  for  verifying  temporal  properties  of  concurrent 
programs.  Corresponding  to  the  main  classification  of  temporal  properties  into  the  classes  of  safety 
and  liveness  properties,  appropriate  proof  principles  were  presented  for  each  of  the  classes. 

We  developed  proof  principles  for  the  establishment  of  safety  properties.  We  showed  that 
essentially  there  is  only  one  such  principle  for  safety  proofs,  the  invariance  principle,  which  is  a 
generalization  of  the  method  of  intermediate  assertions.  We  also  indicated  special  cases  under 
which  these  assertions  can  be  found  algorithmically. 


The proof principle that we developed for liveness properties is based on the notion of
well-founded descent of ranking functions. However, because of the nondeterminism inherent in
concurrent computations, the well-founded principle must be modified in a way that depends strongly
on the notion of fairness assumed for the computation. Consequently, three versions of the
well-founded principle were presented, each corresponding to a different definition of fairness.
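As an added example that is not from [MP1], a small checker for the two principles over a constructed two-process program, abstracted to a finite state space so both checks are exhaustive. The invariance principle checks that an assertion holds initially and is preserved by every transition; the well-founded principle is given in the version that assumes weak fairness (a transition that stays enabled is eventually taken): outside the goal the rank is positive, no transition increases it, the state's helpful transition is enabled and decreases it, and no other transition disables the helpful one before it is taken. The program, the state encoding, and the names STATES, TRANSITIONS, invariance and well_founded are mine.

```python
# Constructed program (not from the report), already abstracted to finitely many states:
#   process A:  loop forever:  x := min(x + 1, 3)        (saturating counter)
#   process B:  b0: await x >= 3; goto b1                (b1 = terminated)
# A state is the pair (x, pc_B).
INIT = (0, "b0")
STATES = [(x, pc) for x in range(4) for pc in ("b0", "b1")]

TRANSITIONS = {                                # name -> (enabling condition, effect)
    "A": (lambda s: True,
          lambda s: (min(s[0] + 1, 3), s[1])),
    "B": (lambda s: s[1] == "b0" and s[0] >= 3,
          lambda s: (s[0], "b1")),
}


def invariance(states, init, transitions, inv):
    """Invariance principle: inv holds initially, and every transition taken from
    an inv-state leads to an inv-state (the inductive check, over all states)."""
    return inv(init) and all(
        inv(effect(s))
        for s in states if inv(s)
        for enabled, effect in transitions.values() if enabled(s))


def well_founded(states, transitions, goal, rank, helpful):
    """Well-founded principle, weak-fairness version. Under weak fairness the
    helpful transition, which stays enabled, is eventually taken, so the rank
    strictly decreases over and over and must reach 0, i.e. the goal."""
    for s in states:
        if goal(s):
            continue
        h = helpful(s)
        h_enabled, h_effect = transitions[h]
        if rank(s) <= 0 or not h_enabled(s) or rank(h_effect(s)) >= rank(s):
            return False                       # rank not positive, or helper not helpful
        for name, (enabled, effect) in transitions.items():
            if not enabled(s):
                continue
            t = effect(s)
            if rank(t) > rank(s):
                return False                   # some transition increases the rank
            if name != h and not goal(t) and not h_enabled(t):
                return False                   # helper could be disabled before it fires
    return True


# Safety: B can only have terminated once x has reached 3.
SAFE = lambda s: s[1] == "b0" or s[0] >= 3
# Liveness: B eventually terminates.
GOAL = lambda s: s[1] == "b1"
RANK = lambda s: 0 if GOAL(s) else 4 - s[0]            # 4, 3, 2, 1, then 0 at the goal
HELPFUL = lambda s: "B" if s[0] >= 3 else "A"          # the transition that makes progress
BAD_RANK = lambda s: 0 if GOAL(s) else s[0] + 1        # increases under A: must be rejected


def check_program():
    """(safety holds, liveness holds with RANK, liveness 'holds' with BAD_RANK)."""
    return (invariance(STATES, INIT, TRANSITIONS, SAFE),
            well_founded(STATES, TRANSITIONS, GOAL, RANK, HELPFUL),
            well_founded(STATES, TRANSITIONS, GOAL, BAD_RANK, HELPFUL))
```

The last condition in well_founded is what the fairness assumption buys: if some other transition could disable the helpful one, weak fairness alone would not force it to fire, and a stronger fairness notion (with a correspondingly different rule) would be needed. In this program A is always enabled and B, once enabled, stays enabled, so the weak-fairness version suffices.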

• A Resolution Approach to Temporal Proofs ([A][AM1][AM2])

A novel proof system for temporal logic was developed. The system is based on the
classical non-clausal resolution method, and involves a special treatment of quantifiers and temporal
operators.

Soundness  and  completeness  issues  of  resolution  and  other  related  systems  were  investigated. 
While  no  effective  proof  method  for  temporal  logic  can  be  complete,  we  established  that  a  simple 
extension  of  the  resolution  system  is  as  powerful  as  Peano  Arithmetic. 
The use of temporal logic as a programming language was explored. We suggested that a
specialized temporal resolution system could effectively interpret programs written in a restricted
version of temporal logic.

We  also  provided  analogous  resolution  systems  for  other  useful  modal  logics,  such  as  certain 
modal  logics  of  knowledge  and  belief. 

• Specification and Verification by Predicate Automata ([MP2])

We examined the possibility of specifying and verifying temporal properties using an extension
of finite-state automata, called predicate automata. These automata extend the conventional notion
of automata in three respects. The first extension is that the conditions for transitions between
states can be arbitrary predicates expressed in a first-order language. The second extension is that
these automata inspect infinite input sequences, and hence a more complex acceptance criterion
is needed. The third extension is that nondeterminism is interpreted universally, rather than
existentially, as is the case in conventional nondeterministic finite-state automata. This means
that if the automaton can generate several possible runs in response to a given input, then it is
required that all runs are accepting.

By introducing conventions for representing automata in a structured form, we demonstrated
that specification of temporal properties by automata can become very legible and understandable,
and presents a viable alternative to their formulation in temporal logic.


A single proof rule was presented for proving that a given program satisfies a property
specifiable by a predicate automaton. The rule was shown to be sound and relatively complete.


• A Hierarchy of Temporal Properties ([MP3])


We proposed a classification of temporal properties into a hierarchy that refines the known
safety-liveness classification of properties. The classification is based on the different ways a
property of finite computations can be extended into a property of infinite computations.


This hierarchy was studied from three different perspectives, which were shown to agree.
Respectively, we examined the cases in which the finitary properties, and the infinitary properties
extending them, are unrestricted, specifiable by temporal logic, and specifiable by predicate
automata. The unrestricted view also leads to a topological characterization of the hierarchy as
occupying the lowest two levels of the Borel hierarchy.

For properties that are expressible by temporal logic and predicate automata, we provided
a syntactic characterization of the formulae and automata that specify properties of the different
classes. The temporal-logic characterization relies strongly on the use of the past temporal
operators.

Corresponding  to  each  class  of  properties,  we  presented  a  proof  principle  that  is  adequate  for 
proving  the  validity  of  properties  in  that  class. 


• Logic Programming Semantics: Techniques and Applications ([B1]-[B3])

It is generally agreed that providing a precise formal semantics for a programming language is
helpful in fully understanding the language. This is especially true in the case of logic-programming-like
languages, for which the underlying logic provides a well-defined but insufficient semantic basis.
Indeed, in addition to the usual model-theoretic semantics of the logic, proof-theoretic deduction
plays a crucial role in understanding logic programs. Moreover, for specific implementations of
logic programming, e.g., Prolog, the notion of deduction strategy is also important.

We provided semantics for two types of logic-programming languages and developed applications
of these semantics. First, we proposed a semantics of Prolog programs that we use as the basis of
a proof method for termination properties of Prolog programs. Second, we turned to the temporal
logic programming language TEMPLOG of Abadi and Manna, developed its declarative semantics,
and then used this semantics to prove a completeness result for a fragment of temporal logic and to
study TEMPLOG's expressiveness.

In our Prolog semantics, a program is viewed as a function mapping a goal to a finite or
infinite sequence of answer substitutions. The meaning of a program is then given by the least
solution of a system of functional equations associated with the program. These equations are
taken as axioms in a first-order theory in which various program properties, especially termination
or non-termination properties, can be proved. The method extends to Prolog programs with
extra-logical features such as cut.
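The semantic object named above, a program as a function from a goal to a finite or infinite sequence of answer substitutions, as an added example that is not from [B1]-[B3]: a minimal Prolog-style interpreter (unification without occurs check, clause renaming, depth-first left-to-right SLD resolution, no cut) that yields answer substitutions lazily, so a finite sequence, an infinite sequence, and a diverging computation that never yields are all visible as behaviours of one generator. Terms are Python tuples, the NAT and PARENT programs are constructed for the illustration, and all names are mine.

```python
from itertools import count, islice


class Var:
    """A logic variable; the class-wide counter supplies fresh names on renaming."""
    _fresh = count()

    def __init__(self, name):
        self.name = name

    def __repr__(self):
        return self.name


def walk(t, s):
    """Dereference t through the substitution s (a dict Var -> term)."""
    while isinstance(t, Var) and t in s:
        t = s[t]
    return t


def unify(a, b, s):
    """Return the substitution extending s that unifies a and b, or None.
    Atoms are str/int, compound terms are tuples ('functor', arg1, ...)."""
    a, b = walk(a, s), walk(b, s)
    if isinstance(a, Var):
        return s if a is b else {**s, a: b}        # no occurs check, as in Prolog
    if isinstance(b, Var):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return s if a == b else None


def rename(t, env):
    """Copy t with fresh variables: each use of a clause gets its own variables."""
    if isinstance(t, Var):
        if t not in env:
            env[t] = Var(f"{t.name}_{next(Var._fresh)}")
        return env[t]
    if isinstance(t, tuple):
        return tuple(rename(x, env) for x in t)
    return t


def solve(goals, program, s=None):
    """SLD resolution with Prolog's strategy: depth-first, left-to-right,
    clauses in program order. Yields answer substitutions lazily, so the
    result is a finite or infinite sequence, or a computation that never yields."""
    s = {} if s is None else s
    if not goals:
        yield s
        return
    goal, rest = goals[0], goals[1:]
    for head, body in program:
        env = {}
        head, body = rename(head, env), [rename(b, env) for b in body]
        s2 = unify(goal, head, s)
        if s2 is not None:
            yield from solve(body + rest, program, s2)


def resolve(t, s):
    """Fully instantiate t under s, for reporting an answer."""
    t = walk(t, s)
    return tuple(resolve(x, s) for x in t) if isinstance(t, tuple) else t


def answers(goal, program, limit=None):
    """The meaning of `program` at `goal`: its sequence of answers, reported as
    the instantiated goal; `limit` samples a prefix of an infinite sequence."""
    return list(islice((resolve(goal, s) for s in solve([goal], program)), limit))


X, Y, Z = Var("X"), Var("Y"), Var("Z")
NAT = [                                            # nat(0).  nat(s(X)) :- nat(X).
    (("nat", 0), []),
    (("nat", ("s", X)), [("nat", X)]),
]
PARENT = [                                         # facts, and grandparent/2 via parent/2
    (("parent", "ann", "bob"), []),
    (("parent", "bob", "cid"), []),
    (("parent", "bob", "dee"), []),
    (("grandparent", X, Z), [("parent", X, Y), ("parent", Y, Z)]),
]
```

Querying grandparent(ann, Z) against PARENT yields exactly two answers and then stops; querying nat(X) against NAT yields 0, s(0), s(s(0)), ... without end, so answers must be given a limit. A left-recursive clause such as p(X) :- p(X) with no matching fact makes solve recurse without ever yielding: the answer sequence is empty but the computation does not terminate, which is precisely the distinction the termination proof method above is meant to establish. Cut is not modelled here.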

For TEMPLOG, we provided two equivalent formulations of the declarative semantics: in terms
of a minimal temporal Herbrand model and in terms of a least fixpoint. Using the least-fixpoint
semantics, we were able to prove that TEMPLOG is a fragment of temporal logic that admits a
complete proof system. This semantics also enabled us to study TEMPLOG's expressiveness. For
this, we focused on the propositional fragment of TEMPLOG and proved that the expressiveness of
propositional TEMPLOG queries essentially corresponds to that of finite automata.